pants2 2 hours ago

If we think in the context of LLMs, why is it easier to find a single vulnerability than to patch every vulnerability? If the defender and the attacker are using the same LLM, the defender will run "find a critical vulnerability in my software" until it comes up empty and then the attacker will find nothing.

Defenders are favored here too, especially for closed-source applications where the defender's LLM has access to all the source code while the attacker's LLM doesn't.

dist-epoch 40 minutes ago

You also need to deploy the patch. And a lot of software doesn't have easy update mechanisms.

A fix in the latest Linux kernel is meaningless if you are still running Ubuntu 20.